Security, Counterterrorism, Education

How real is the threat of some so-called “hackers”?

It has become routine for Romanian security agencies to arrest and expose various hackers and cybercriminal networks. A look into some of the cases shows that some of those arrested are simply foolish players who do not represent the real threat that the Romanian police present them as. Some of them never receive a conviction or face any charges, simply because further evidence of their activities shows they did not do serious harm.

The latest case of this type occurred in February.

Romanian police arrest alleged hacker in Pentagon, NASA breaches. Razvan Manole Cernaianu is accused of revealing security holes and publishing information about SQL injection vulnerabilities in those agencies. A 20-year-old hacker who goes by the Internet name TinKode was arrested recently by Romanian police after he bragged about hacking into Pentagon and NASA computer systems.

The Romanian Directorate for Investigating Organized Crime and Terrorism said Cernaianu also offered a computer program on his blog that could be used to hack into websites and published a video showing Internet attacks he had made against the U.S. government. The FBI and NASA assisted in the investigation. The U.S. Embassy in Bucharest said Cernaianu used “advanced hacking tools to gain unauthorized access to government and commercial systems.” Cernaianu allegedly hacked into a computer server at NASA’s Goddard Space Flight Center last April, and posted a screen grab that showed files connected to confidential satellite data.

Anthony M. Freed, managing editor of Infosec Island, says that TinKode is known to have taken advantage of several well-known vulnerabilities that many of his targets should have resolved before he exploited them through SQL injections — a technique many security experts now derisively call “Hacking 101.”

“His targets tend to be large entities that undoubtedly have complex network deployments and multiple interfaces for third parties like contractors or client bases,” says Freed, “which provide a higher product probability of his finding unprotected points of entry.” Freed says penetration by a determined hacker is almost guaranteed in networks of this size. “They should focus on detection and data protection within the networks,” he says, “while working under the assumption that they will not be able to prevent all breach attempts.

“Advanced monitoring systems, appropriate data classification, and secondary authentication protocols for access to the most sensitive information is critical both for detecting an intrusion and slowing hackers’ progress. This can buy the needed time to lock down the compromised system and prevent data theft.”

Gary McGraw, CTO of Cigital, says if TinKode didn’t want to get caught, he should not have been bragging so publicly. “If you go looking for attention, you’re probably going to get it,” he says. McGraw says the damage caused was probably minor. “But, to get past all of these silly problems, agencies like these should build systems with security in mind in the first place. Right now they are trying to fix broken systems.”